Post by billynoah » Mon Aug 17, 2015 5:27 pm

I'm sick to death of people trying to hack my clients' OpenCart admin. This bans by IP after 6 consecutive failed login attempts. You can alter the number of attempts allowed in the first block of code where it reads fails >= '6'. Note - this adds an additional table to your db. Reset fails or remove a row to unban. Tested and working on OC 1.5.5.1 - 2.0.3.1. Enjoy.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<modification>
	<id>Ban Hackers</id>
	<version>1.0.1</version>
	<vqmver>2.1.5</vqmver>
	<author>zuma design | billynoah@gmail.com</author>

	<!-- Runs on every request (storefront and admin): creates the ban table on
	     first use, then drops the request outright if the client IP has reached
	     the failure limit. -->
	<file name="system/library/db.php">
		<operation>
			<search position="after" regex="true"><![CDATA[~(db|driver) = new~]]></search>
			<add><![CDATA[
		$table_query = $this->query("SHOW TABLES LIKE '" . DB_PREFIX . "ban_ip'");
		if (!$table_query->rows) {
			$this->query("CREATE TABLE IF NOT EXISTS `" . DB_PREFIX . "ban_ip` (
				`id` int(11) NOT NULL AUTO_INCREMENT,
				`ip` varchar(40) NOT NULL,
				`fails` int(11) NOT NULL,
				`username` varchar(40) NOT NULL DEFAULT '',
				`password` varchar(40) NOT NULL DEFAULT '',
				PRIMARY KEY (`id`),
				KEY `ip` (`ip`),
				KEY `fails` (`fails`)
			) ENGINE=MyISAM DEFAULT CHARSET=utf8");
		}
		// BANNED IPS - change the 6 below to alter the number of failed attempts allowed
		if (isset($_SERVER['REMOTE_ADDR']) && $this->query("SELECT * FROM " . DB_PREFIX . "ban_ip WHERE ip = '" . $this->escape($_SERVER['REMOTE_ADDR']) . "' AND fails >= '6'")->num_rows) die;
			]]></add>
		</operation>
	</file>
	<!-- Admin login (User::login): a successful login resets the counter for
	     this IP, a failed one increments it. -->
	<file name="system/library/user.php">
		<!-- success path: inserted before "return true;", resets fails to 0 -->
		<operation>
			<search position="before"><![CDATA[return true;]]></search>
			<add><![CDATA[
			if ($this->db->query("SELECT * FROM " . DB_PREFIX . "ban_ip WHERE ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "'")->num_rows) {
				$this->db->query("UPDATE " . DB_PREFIX . "ban_ip SET fails = 0, username = '" . $this->db->escape($username) . "', password = '' WHERE ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "'");
			} else {
				$this->db->query("INSERT INTO " . DB_PREFIX . "ban_ip SET fails = 0, ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "', username = '" . $this->db->escape($username) . "', password = ''");
			}
			]]></add>
		</operation>
		<!-- failure path: inserted before "return false;", adds 1 to fails -->
		<operation>
			<search position="before"><![CDATA[return false;]]></search>
			<add><![CDATA[
			if ($this->db->query("SELECT * FROM " . DB_PREFIX . "ban_ip WHERE ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "'")->num_rows) {
				$this->db->query("UPDATE " . DB_PREFIX . "ban_ip SET fails = fails + 1, username = '" . $this->db->escape($username) . "', password = '" . $this->db->escape($password) . "' WHERE ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "'");
			} else {
				$this->db->query("INSERT INTO " . DB_PREFIX . "ban_ip SET fails = 1, ip = '" . $this->db->escape($_SERVER['REMOTE_ADDR']) . "', username = '" . $this->db->escape($username) . "', password = '" . $this->db->escape($password) . "'");
			}
			]]></add>
		</operation>
	</file>
</modification>
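The same per-IP counter as a stand-alone PHP script, so the logic can be read and run outside OpenCart. This is an added example, not billynoah's vQmod or OpenCart code; it assumes PDO with SQLite, a constructed TEST-NET address, and two deliberate differences from the vQmod: failures expire after a time window, and the attempted password is never written to the table.

```php
<?php
// Added example (not the vQmod above): per-IP failed-login counter on SQLite.
// Assumptions: PDO with the sqlite driver; ban lapses WINDOW_SECS after the
// last failure; attempted passwords are not stored, only the username tried.
const MAX_FAILS   = 6;    // ban once this many consecutive failures are reached
const WINDOW_SECS = 900;  // a failure older than this no longer counts

function openBanDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE IF NOT EXISTS ban_ip (
        ip TEXT PRIMARY KEY, fails INTEGER NOT NULL DEFAULT 0,
        username TEXT NOT NULL DEFAULT '', last_fail INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// Equivalent of the db.php hook: refuse to serve a banned address at all.
function isBanned(PDO $db, string $ip, int $now): bool {
    $st = $db->prepare("SELECT fails, last_fail FROM ban_ip WHERE ip = ?");
    $st->execute([$ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row && $row['fails'] >= MAX_FAILS && ($now - $row['last_fail']) < WINDOW_SECS;
}

// Equivalent of the two user.php hooks: call once per login attempt with its outcome.
function recordLogin(PDO $db, string $ip, string $username, bool $ok, int $now): void {
    if ($ok) { // a successful login resets the counter, as in the vQmod
        $db->prepare("INSERT INTO ban_ip (ip, fails, username, last_fail) VALUES (?, 0, ?, 0)
            ON CONFLICT(ip) DO UPDATE SET fails = 0, username = excluded.username")
           ->execute([$ip, $username]);
        return;
    }
    // failure: restart the count if the previous failure is outside the window
    $db->prepare("INSERT INTO ban_ip (ip, fails, username, last_fail) VALUES (?, 1, ?, ?)
        ON CONFLICT(ip) DO UPDATE SET
            fails = CASE WHEN (? - last_fail) < ? THEN fails + 1 ELSE 1 END,
            username = excluded.username, last_fail = excluded.last_fail")
       ->execute([$ip, $username, $now, $now, WINDOW_SECS]);
}

// Demo with a constructed client address (203.0.113.0/24 is reserved for documentation).
$db = openBanDb();
$ip = '203.0.113.7';
for ($i = 1; $i <= MAX_FAILS; $i++) {
    recordLogin($db, $ip, 'admin', false, 1000 + $i);
}
var_dump(isBanned($db, $ip, 1010));               // banned right after the 6th failure
var_dump(isBanned($db, $ip, 1010 + WINDOW_SECS)); // ban has lapsed once the window passes
recordLogin($db, $ip, 'admin', true, 2000);       // a real login clears the counter
```

The `ON CONFLICT ... DO UPDATE` form needs SQLite 3.24 or newer; on MySQL, as used by OpenCart, the equivalent is `INSERT ... ON DUPLICATE KEY UPDATE` with `ip` as a unique key.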

Post by IP_CAM » Wed Aug 19, 2015 7:16 am

pushed up to the active Posts... 8)


Post by grgr » Wed Aug 19, 2015 6:39 pm

All good and well, but why is the admin folder still called admin?

My admin folders have absurd names that if anyone manages to guess then they really would deserve a gold star, a solid gold one about the size of a house.

The admin directory is also secured, so they would have to get past that in the first place.

Not that I'm saying that what you have done isn't useful, so thanks.


Post by billynoah » Wed Aug 19, 2015 11:05 pm

Security through obscurity is certainly one approach, but it has drawbacks.

One problem with renaming admin is when you have an installation with 70 vQmods - all of which look for the admin folder at the expected path.

Then there's the inconvenience of every single time you upload an extension which has an upload folder and wants things in admin.


Post by grgr » Thu Aug 20, 2015 12:04 am

billynoah wrote: Security through obscurity is certainly one approach, but it has drawbacks.

One problem with renaming admin is when you have an installation with 70 vQmods - all of which look for the admin folder at the expected path.

Then there's the inconvenience of every single time you upload an extension which has an upload folder and wants things in admin.

I don't dispute any of that, it's a right pain.

vQmod does have the path replace, but I just open the XML files and find/replace; for the number of admin mods used I don't find that too onerous.

If you don't want to rename the admin then I think securing the folder with a password is a sensible thing to do, it is a pain at times, but it's an even bigger pain for the gits that are trying to do you some damage.


Post by billynoah » Thu Aug 20, 2015 12:53 am

Yeah agreed - securing with a password is a good idea. For those using Apache 2.4+ it's really easy with .htaccess as long as you have a static IP.

Code:

<RequireAny>
	# 203.0.113.10 is a documentation placeholder; put your own static address here
	Require ip 203.0.113.10
</RequireAny>

Unfortunately many ISPs don't offer that for residential service.

Regarding moving the admin folder - I can see how it's manageable for one user with a few vQmods, but try managing 20 or 30 stores using hundreds of unique extensions and mods and it becomes unrealistic. I added a log to a few of the stores on my personal server that would show failed login attempts, and in a couple of instances there were literally thousands trying usernames like "qphoria" and "daniel" and passwords like "desperate" or "admin123", etc. Clearly the work of a determined individual. So the vQmod above is a simple solution and also shows successful login attempts, so you can keep track of IPs logging in successfully as well.

Another option is fail2ban - for which I wrote a free jail rule which you can find here:
http://www.opencart.com/index.php?route ... h=security
